Cloud Security Flashcards
What are the three aspects of information security?
Confidentiality, Integrity and Availability
What does AWS Security Token Service (STS) do?
Issue temporary credentials
What is an IAM role?
It is an AWS identity that defines and provides temporary security credentials to access resources and make API requests
What is the compliance standard for information security?
ISO/IEC 27001 Framework
What is SIEM?
Security Information and Event Management - big-data threat intelligence with automated response
What is an IDS?
Intrusion Detection System
What is the difference between resource and identity based policies?
Identity-based policies are attached to an identity and state what that identity can do
Resource-based policies are attached to a resource and allow specific users or groups to perform certain API requests on it
What is the difference between inline and managed policies?
Inline policies are embedded in a principal identity (group, user or role)
Managed policies are standalone identity based policies
What are the security design principles?
There are 7:
- Apply principle of least privilege
- Enable traceability
- Secure all layers
- Automate security (infrastructure as code)
- Protect data in transit and at rest
- Prepare for security events
- Minimise the attack surface
What is TLS?
Transport Layer Security
What are MSOs and MSPs and what do they do?
Managed Service Organisations or Managed Service Providers (external) create guardrails for security, data protection and disaster recovery in the company
What is the benefit of elasticity in the cloud?
Creates systems that can scale on demand
What can a company use to ensure high availability during an attack?
Automatic scaling
What security principle addresses monitoring, auditing and alerting on actions and changes to the environment?
Enable traceability
What is a best practice for automation that can assist with providing a repeatable secure infrastructure?
Implement infrastructure as code
What are the two things IAM provides?
Authentication - Who
Authorisation - What
What are the two primary types of credentials used for authentication?
Username and password
AWS Access Key
What is the IAM authentication best practice for long-term access?
To attach IAM Policies to groups and assign users to groups
What does an AWS Organizations Service Control Policy (SCP) do?
Defines the maximum permissions for the account members of an OU
How does AWS determine permissions with policies?
An explicit deny overrides any allow statement
Which AWS Services provide identity federation to AWS Accounts and applications?
SSO and IAM (for multiple directories)
What does AWS Directory Service do?
Allows you to use existing on-premises user credentials to access cloud resources
What does Amazon Cognito do?
Enable user sign up, sign in and access control with web and mobile applications
What can Amazon VPC do?
Provision a logically isolated section of the AWS Cloud to launch resources
- Select IP address range
- Create subnets
- Configure route tables and network gateways
What is an internet gateway?
Provides a target in VPC route tables for internet-routable addresses
Performs NAT for instances with public IPv4 addresses
What does a NAT Gateway do?
Supports instances in a private subnet to connect to the internet
Prevents the internet from initiating connection
What does a NAT gateway require you to specify?
Public subnet to reside
Elastic IP address to associate with the gateway
What does an interface require for external traffic to reach it?
A public IP Address on the interface and a route on the subnet’s route table
What are the largest and smallest CIDR blocks?
/16 is the largest, /28 the smallest
How many IP Addresses does AWS reserve in CIDR blocks?
5 addresses
0 - network address
1 - internal communication
2 - DNS resolution
3 - future use
255 - broadcast
What two things can you do with an elastic network interface?
Attach it to an instance; detach it and attach it to a different instance to redirect network traffic
What is a security group?
A security group acts as a virtual firewall for an EC2 instance and controls traffic
What do stateful security groups do?
Deny all inbound traffic and allow all outbound traffic
What is a NACL?
Network Access Control Lists act as virtual firewalls on the VPC level to control traffic in and out of subnets.
Are network ACLs stateful or stateless?
Stateless. They can either deny or allow inbound and outbound traffic
What are the features of the default network ACL?
All inbound and outbound traffic is allowed
What are the features of a custom network ACL by default?
All inbound and outbound traffic is denied.
What are the differences between security groups and network ACLs?
Security groups are interface level, but network ACLs are subnet level
Security groups support allow rules only, but network ACLs support both allow and deny rules.
Security groups are stateful, but network ACLs are stateless.
For security groups, all rules are evaluated before the decision is made to allow traffic.
For network ACLs, rules are evaluated in number order before the decision is made to allow traffic.
What does ELB do? What are its three types?
Distributes incoming traffic and supports high availability with health checks
The three types are:
- Classic Load Balancer
- Network Load Balancer
- Application Load Balancer
What three features serve as data protection in ELB?
Single Point of Contact
Encryption at rest
Encryption in transit
What are the best practices to protect your network? (4)
Control traffic at all layers
Inspect and filter at application level
Automate network protection
Limit exposure
What does Amazon Inspector do?
Run automated security assessments on EC2 instances and applications to find vulnerabilities
What does AWS Systems Manager do?
Lets you view operational data from multiple AWS services
What are the three tiers of a web application?
Presentation, Application and data
What does S3 Block Public Access do?
Helps manage access to S3 resources
What are the Amazon S3 Protection features?
- Block public access
- Versioning
- Object Lock
What does Object Lock do?
Stores objects using write-once read-many
What are the two object lock retention modes?
Governance - users need special permissions to alter settings
Compliance - cannot be altered by any user
What are the two types of protection through encryption?
Client side encryption and server side encryption
What are the types of server side encryption?
SSE-C, SSE-S3 and SSE-KMS
How do you protect data in transit?
Use SSL (Secure Sockets Layer) endpoints over TLS (Transport Layer Security)
Use encryption
Use VPC
What is AWS ACM?
AWS Certificate Manager provides an interface to manage both public and private certificates
What is AWS CA?
AWS Certificate Authority lets you manage private CAs that issue certificates
What are the data protection best practices?
Presigned URLs for temporary access
Use S3 protection features
Enable MFA for deletion
What is AWS Secrets Manager?
Manages access to secrets
What is Amazon Macie?
Machine learning service that can discover, classify and protect sensitive data in AWS
What is logging?
The collection and recording of activity and data
What are the 4 things logging is useful for?
- Troubleshooting
- Auditing
- Recordkeeping
- Incident Response and remediation
What is monitoring?
The continuous verification of the security and performance of applications and data
What does CloudTrail do?
Records actions taken by user, role or AWS Account
What are the AWS services with built in logs?
S3 - server access logs
VPC - Flow logs (inbound and outbound IP traffic)
ELB - access logs
What is Amazon CloudWatch?
Monitors resource and application performance
What are the best practices for logging and monitoring?
Define organisational requirements
Configure service and application logging
Analyse your logs centrally
What does Trusted Advisor do?
Provides recommendations based on cost optimisation, security, fault tolerance, service limits and performance improvements
What is Amazon EventBridge?
A serverless event bus service
What is AWS Security Hub?
Automated cloud security monitor that aggregates security alerts from various services
What does AWS Config do?
Assess, audit and evaluate resource configurations
What is incident recognition and response?
A set of information security policies and procedures used to identify, contain and eliminate cyberattacks
What are the two phases of incident response?
Discovery and recognition - identify, log and categorise
Resolution and recovery - isolate, stage and deploy fix
What does Amazon GuardDuty do?
Continuous security monitoring service to identify unauthorised and malicious activity
What does Amazon Shield do?
Automatically protects network from a DDoS attack
Which AWS services support the discovery and recognition phase?
CloudWatch (monitoring solution)
Trusted Advisor
Config
Inspector
Shield
GuardDuty
What does CloudFormation do?
Model and setup AWS resources with templates
What is SNS?
Simple Notification Service - apps, end users and devices can send and receive notifications from the cloud
What is AWS Step Functions?
Visual workflow service that developers use to build event-driven applications
What is AWS Lambda?
Serverless, event-driven compute service that can run code on demand